Skill v2.0.1
ClawScan security
Swagger Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 10:51 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill appears to do what it claims (generate and manage OpenAPI specs) and has no network/exfiltration or unrelated credential requests, but it persistently logs user inputs to a folder in the user's home directory — avoid pasting secrets into it or review/relocate the data directory first.
- Guidance
- This skill is coherent with its stated purpose and does not try to access external credentials or network resources. However, the included script logs every command input to $HOME/.local/share/swagger-generator (per-command .log files and history.log) and can export those logs. Before using: (1) avoid entering real secrets/API keys or sensitive request bodies into the tool; (2) inspect the script if you want to change the DATA_DIR location or file permissions; (3) if you do use it with sensitive data, delete the data directory afterward (rm -rf ~/.local/share/swagger-generator) or modify the script to store logs in a secure location; (4) if you need a stricter privacy posture, run the SKILL.md instructions without executing the shipped script or ask the author for a version that does not persist inputs.
Review Dimensions
- Purpose & Capability
- ok: Name/description (OpenAPI/Swagger generation) match the provided CLI-like instructions (spec, endpoint, model, crud, auth, etc.) and the included script implements matching commands for generating, validating, formatting, linting, exporting and similar operations.
- Instruction Scope
- note: SKILL.md describes command usage but does not mention that the shipped script persistently logs all command inputs. scripts/script.sh records inputs (timestamp|input) into files under $HOME/.local/share/swagger-generator and provides export/search features; this is within the skill's functional scope but is an implementation detail users should be aware of because it can capture sensitive text the user passes to the tool.
- Install Mechanism
- ok: No install spec and no external downloads; the skill is instruction-plus-a-local-shell-script only, so nothing is fetched from third-party hosts at install time.
- Credentials
- note: The skill requests no environment variables or credentials (none declared). However, the script persists arbitrary user inputs to a local data directory; if users include credentials or tokens in endpoint descriptions, those will be stored on disk. There are no requests for unrelated external credentials.
- Persistence & Privilege
- note: The script creates and writes to $HOME/.local/share/swagger-generator (history.log and per-command .log files) and can export those logs to JSON/CSV/TXT. always:false and no elevated privileges. Persistence is limited to the user's home directory, but it does retain copies of provided inputs until deleted.
